Legal Center

5 Ways Boards Expose Insurers to Cyber Risk

Laszlo Gonc and Donn Vucovich | Monday, March 07, 2016

When it comes to cyber security, due diligence is a moving target, and many boards of directors for insurance carriers are likely to miss it. Boards can exercise exemplary responsibility in many of their duties, and even take specific measures with regard to information security and still fail their companies.

They can appoint a chief information security officer (CISO), hire IT security consultants, put a cyber security plan in place—and still end up presiding over a breach that lowers stock price, harms the company`s reputation, costs millions in mitigation efforts, and may even result in personal lawsuits by investors.

It may sound far-fetched, but it has happened repeatedly to companies of all sizes. At the highest level of analysis, the reason is that e-commerce has evolved faster than enterprises have been able to adapt—business has gone from physical transactions and records to electronically executed transactions, virtual communications and digital records that are accessible electronically in perpetuity. This creates vulnerabilities that remain poorly understood by the senior management of insurers, resulting in inadequate defenses.

Here we drill down to five ways that this poor understanding leads boards of directors to expose their companies to cyberattacks and their consequences.

Lack of Relevant Experience and Skills

Boards are likely to feel responsible for understanding security audit and compliance requirements, but they are often unfamiliar with security frameworks and how to implement them. One of the biggest errors that boards make is to confuse compliance with security. As a result, their due diligence on information technology security can have a perfunctory quality: they execute what cyber security experts call “checklist security” with little understanding of why and to what degree this baseline compliance meets their company`s needs.

Recent Verizon Data Breach reports have found even PCI-compliant companies were not properly secured. While resources continue to lag demand, boards need to seek out education on the nature of electronic transactions and their vulnerabilities. Most importantly, they should study both defenses against attacks and responses in the case of a successful penetration of those defenses.

Failure to Create and Sustain a Culture of Security

Security must be driven from the top down. Technical defenses are a given, but they don`t prevent some of the most common attacks against company assets and private customer information. Even with good firewalls, the only defense against some attacks is employee awareness, both of specific threats and of the need for vigilance in general.

The leadership of companies must promote a culture of security and a concept of “security by design.” They must motivate associates with incentives to more alert behavior and claw-backs, or other disincentives, for leadership responsible for maintaining that culture of security.

Lack of Strong Governance and an Organizational Risk Management Program

Boards are aware of the need to protect their intellectual property, their data, their customers` data, and commonly ensure they do a proper audit and compliance exercise. Having done so, they feel they`ve done their job. In general such exercises have little to do with whether you have a secure organization. Audit and compliance is, at best, a baseline, not a comprehensive solution.

Practitioners of “checklist security” leave their organizations vulnerable because they fail to align measures specifically to their company`s business processes and objectives. Effective measures must be tailored both to the broad characteristics of an organization—such as doing business in geographies with heightened cyber risk—and also particular activities as they arise, such as new product initiatives, market expansion or the opening of new facilities.

Insurers setting cybersecurity policy tend to focus on the home office and its business practices while neglecting activities on the periphery of the organization. Good governance starts with understanding your critical assets, where they are in play, and knowing your end points. The latter especially because those are the most external, the most exposed and generally the most insecure.

Failure to Appropriately Fund Security Efforts

Many companies tend to invest in their first line of defense. However, few budgets address post-penetration monitoring and analysis. Planning drops significantly from the point of breach, but that`s often where the real work, the real investigation begins. If a hacker gets in, are you equipped to detect which server was attacked and which work station it started from? Can you detect what data was taken? Whose credentials were used? Many systems fall short in the post-penetration phase of the attack.

There is also a tendency to underfund training that addresses the human element of cybersecurity. Budgets are aimed—appropriately enough—on securing the network and the machines. However, many of the worst breaches occur at the human link of the cybersecurity chain.

We`ve heard many stories of lost laptops replete with customer information, or transmitting sensitive data over unsecured personal channels. Training on cybersecurity protocols in the use of mobile devices has become essential in this digital age. But business people also need to learn about the human element of attacks.

One of the greatest threats today is “spear-phishing” which works not by trolling opportunistically for a mark but by actively seeking out a specific individual, such as a company executive involved in a negotiation. This cynical practice can extend to practices such as infiltrating relatives` social media activities to glean useful insights. Executives—and all company associates—need awareness training in order to reduce exposure to this type of intrusion.

Inherent Weakness at Estimating Risk

Insurers have better reason than most to know that analyzing risks takes special skill. Research supports the conclusion that most of us are bad at evaluating risk, and corporate directors are no different.

Board members should seek expertise and educate themselves about the ever-changing nature of cyber risk. They need access to research on the behavioral science of bad decision-making. They should also seek out specific legal expertise and include a cybersecurity expert on their board.

What it Comes Down To

When it comes to cybersecurity risk, it`s not so much that insurance company boards of directors are irresponsible as that the concept of responsibility lags behind the reality of business technology. The emergence of e-commerce has created new kinds of exposure, and the continuing proliferation of new sales and service channels is multiplying exposures at an exponential rate.

In this Brave New World, cybersecurity stewardship falls within the due diligence of directors, and those who fail to tackle its challenges methodically are increasing the risk of harm to their companies` reputation and assets—and potentially even to themselves.

Laszlo S. Gonc is a partner and security, IT risk and compliance practice lead at MVP Advisory Group. Donn Vucovich is managing partner at MVP Advisory Group. You can contact Gonc at laszlo.gonc@mvpadvisorygroup.com or Vucovich at donn.vucovich@mvpadvisorygroup.com for more information.